Silent Mobile Threat: How Apps Steal Your Data

Domingo Guerra, Appthority’s president, cofounded the company in 2011 to help the enterprise solve new security challenges in an increasingly mobile, app-centric world. He is the leader of Appthority’s Enterprise Mobile Threat Team, where he specializes in identifying mobile app risks and behavior trends, and advising the enterprise of the business risk associated with data breaches, losses and leakage tied to today’s dynamic workforce. Learn more at https://www.appthority.com/.

Do your personal mobile apps steal data from you, with or without your consent? On the business side, does this mobile surveillance put your company’s data at risk? Read this insightful guest blog from Appthority Co-Founder and President Domingo Guerra.

It seems like a fair trade: Get your favorite mobile apps free, and watch annoying ads in return. Unfortunately, that is not all you do in return.

In reality, you give up a great deal of personal information. Mobile apps collect a massive amount of personal data—your location, your online history, your contacts, your schedule, your identity and more. The app instantly shares your information with mobile advertising networks. Those networks then use your personal information to determine the best ad at any given time and place.

Growing Privacy Threat: Mobile Surveillance

The tradeoff is not really ads for apps; it is intrusive mobile surveillance for apps. By agreeing to free, ad-sponsored mobile apps, we consent to an economic model that entails continuous and comprehensive personal surveillance. It is what Al Gore accurately characterized as the stalker economy.

Why is our personal, location and behavioral data so coveted by marketers? Because a smartphone is something that we as consumers carry everywhere we go. Our smartphones constantly broadcast personal data of all kinds. If advertisers know who we are, where we are and what we do, they can deliver ads that are more effective. Proximity marketing is the ad that pings your phone as you walk through the aisles. “Save 10% now on mouthwash.”

Sounds innocuous, if annoying, but it goes much further than this. We now enable a system where a major retailer can know, for example, that a teenager is pregnant before her parents do simply by correlating her activity, search and purchase data. That retailer can then reach out via mail or email or target her via phone when she is near a point of sale.

This intrusion on our collective privacy is not going away anytime soon (if ever), as the economic incentives for app developers and advertisers are too strong.

Enterprise Data at Risk, Too

Okay, agreed, this kind of consumer surveillance is intrusive and creepy, but how does it threaten enterprise security? Simple. As personally owned mobile devices invade the business world, leaks from those devices open the door to corporate hacks, stolen business data and crippling cyber attacks.

For instance, if a company lets its employees sync their corporate calendars and email accounts to their personal mobile devices, this opens up all sorts of risks. Suddenly, employees’ phones contain or access the contact information of everyone in the organization. Further, any mobile app that requests access to the employees’ contacts and calendar also gets the names and titles of company employees, and calendar invites frequently carry the dial-in codes for private conference calls. A malicious app, or an attacker who obtains that data downstream, can easily use this information in a spear phishing attack.

Worse, many apps monetize their user bases by sharing data with ad networks that share and combine data with other networks. It is impossible to know exactly where data is going and whether any of the many parties that have access to this data handle it securely. All of this sharing means a malicious hacker does not even have to access an employee’s phone to attack a company. He can hack an ad network with the information from millions of users and go from there.

Leaked information can also enable a watering hole attack against an enterprise. For example, your company executives eat lunch regularly at a local restaurant. An attacker with access to their geolocation data could easily learn this. The attacker correctly assumes that some of the execs visit the restaurant’s website to make reservations and browse the menu before lunch. By placing malware on the lightly defended site, the attacker can compromise the office computer or mobile device of one or more company executives. From there, the attacker can launch a successful breach.

A compromised smartphone represents a threat not just to the targeted employee, but also to the entire company.

Information about employees’ activities both on the job and elsewhere, combined with any company-related emails, documents or sensitive information, can be devastating to an organization if it gets into the wrong hands.

So What Should Enterprises Do to Combat the Threat?

The first step to combating these threats is visibility. Your organization needs to know what apps employees are using, what those apps are doing and whether or not they comply with corporate security policies. For example, is there a particularly risky file-sharing app you do not want employees to use? Is it already used? If you do not know which apps your employees use for work, you are flying blind and taking a huge risk.

However, your organization also has a responsibility to protect your employees’ privacy.

For example, it may not be prudent for “Jack from IT” to know that “Jill from finance” has a dating app or a diabetes app on her phone. Further, if employees fear a “big brother” scenario where IT is always looking over their shoulder, they may opt out of using security tools altogether leading to Shadow IT and making your enterprise less secure.

Balancing Privacy & Security

So, how do large enterprises balance the need for mobile security with employee privacy? By employing a Blind Enforcement model: all IT sees is whether a device (identified only by an anonymized device ID) is compliant or not, while employees receive automated risk education so they can self-manage and self-remediate their devices.

This model is a win for both sides. IT and security teams get assurance that the devices connecting to corporate email, corporate Wi-Fi and corporate or managed apps are compliant, and users get a tool to manage and protect their own privacy and security. Whether in BYOD or corporate-owned environments, we often ask employees to agree to a mobile policy but rarely give them the education or tools to know whether they are in compliance. An automated Mobile Threat Protection solution with Blind Enforcement, such as Appthority, lets both IT and employees feel safe.

Bringing the employee into the workflow with a self-management and self-remediation model has other benefits. First, it reduces the workload on IT and security teams, which are no longer bottlenecks in compliance and enforcement workflows. Employees get a window in which to comply, knowing that if they do not do so within that period, the system will automatically restrict their access to sensitive company data and networks. Second, it provides on-the-fly security education and training, making employees part of the solution rather than just part of the problem. Finally, it changes user behavior, improving not only the current state of security across your mobile fleet but also how employees use it in the future.
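To make the Blind Enforcement workflow concrete, here is a toy Python sketch added for this article. It is not Appthority’s code and not part of the original post; the device IDs, package names, permission list, policy rules, HMAC secret and seven-day grace period are all constructed assumptions. It shows the split the text describes: a policy check over each device’s app inventory (banned apps, ad-supported apps holding sensitive permissions), an employee view with findings and a remediation deadline, an IT view that carries only a pseudonymous device ID and a compliant/non-compliant flag, and automatic access restriction once the grace period lapses.

```python
"""Toy Blind Enforcement evaluator.

Added illustration, not Appthority's code. Device IDs, package names,
the policy and the HMAC secret are all constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Per-tenant secret used to pseudonymize device IDs so the IT view never
# carries a raw identifier (assumption: kept outside the IT console).
TENANT_SECRET = b"constructed-tenant-secret"

# Permissions that expose corporate data synced to the phone
# (contacts, calendar invites with dial-in codes, location, audio).
SENSITIVE_PERMISSIONS: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

# Hypothetical policy: one banned file-sharing app; no ad-supported app
# may hold a sensitive permission.
BANNED_PACKAGES: Set[str] = {"com.example.riskyshare"}
GRACE = timedelta(days=7)                        # time to self-remediate
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "now" for the demo


@dataclass
class App:
    package: str
    permissions: Set[str]
    ad_sdks: Set[str]   # third-party ad/analytics SDKs found in the app
    paid: bool


@dataclass
class Device:
    device_id: str
    apps: List[App]
    first_flagged: Optional[datetime] = None


def anonymize(device_id: str) -> str:
    """Stable pseudonym: IT can follow one device over time but not name it."""
    return hmac.new(TENANT_SECRET, device_id.encode(), hashlib.sha256).hexdigest()[:16]


def evaluate(apps: List[App]) -> List[str]:
    """Findings with remediation advice; this is what the employee sees."""
    findings = []
    for app in apps:
        if app.package in BANNED_PACKAGES:
            findings.append(f"{app.package}: prohibited by policy; uninstall it")
            continue
        sensitive = app.permissions & SENSITIVE_PERMISSIONS
        if app.ad_sdks and sensitive:
            findings.append(
                f"{app.package}: ad-supported and holds {sorted(sensitive)}; "
                "upgrade to the paid version or revoke these permissions"
            )
    return findings


def assess(device: Device, now: datetime) -> Tuple[Dict, Dict]:
    """Split one assessment into the IT view and the employee view."""
    findings = evaluate(device.apps)
    compliant = not findings
    if compliant:
        device.first_flagged = None
    elif device.first_flagged is None:
        device.first_flagged = now          # grace period starts at first finding
    overdue = not compliant and now - device.first_flagged >= GRACE
    it_view = {
        "device": anonymize(device.device_id),   # no raw ID, no app names
        "compliant": compliant,
        "access": "restricted" if overdue else "allowed",
    }
    employee_view = {
        "findings": findings,
        "remediate_by": (device.first_flagged + GRACE).isoformat() if device.first_flagged else None,
    }
    return it_view, employee_view


def run_demo() -> Dict[str, str]:
    """Constructed two-device fleet, scanned at T0 and again a week later."""
    fleet = [
        Device("imei-000111", [App("com.example.notes", {"android.permission.CAMERA"}, set(), True)]),
        Device("imei-000222", [App("com.example.freemaps",
                                   {"android.permission.ACCESS_FINE_LOCATION"}, {"AdNetSDK"}, False)]),
    ]
    decisions = {}
    for dev in fleet:
        assess(dev, T0)                          # first scan: flags and starts grace
        it_view, _ = assess(dev, T0 + GRACE)     # second scan: grace has lapsed
        decisions[it_view["device"]] = it_view["access"]
    return decisions


if __name__ == "__main__":
    for pseudonym, access in run_demo().items():
        print(pseudonym, access)
```

The point of the split is that `it_view` never contains a package name or raw identifier, so “Jack from IT” learns only that a pseudonymous device is out of compliance, while the owner gets the specific finding and a deadline. A real deployment would pull the inventory from an MDM or threat-protection agent rather than from constructed objects, and the sensitive-permission list would be tuned to the organization’s own data exposure.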

Next, you need a policy for managing the use of mobile devices. Most organizations already have policies for other platforms, including managing firewalls and sharing data with partners.

It is equally important to create these policies for mobile. For instance, if employees use free, ad-supported versions of company-approved apps, create a policy that requires them to upgrade to the paid version. This minimizes, if not eliminates, the ad traffic reaching employees’ devices and the ad-network data sharing that finances it, though it does not by itself stop the app’s own collection of personal and private data.

A good next step is to educate employees about the risks of the apps they download. It is in your best interest to empower users with tools and training to make better decisions about what they install. For instance, coach your employees to question apps that ask for permissions. Many apps want access to location, contacts or the camera.

Employees do not have to say “yes” automatically. If an app does not explain why it needs access, that is a big red flag.

Most apps work fine if the user denies the request. If a feature genuinely needs the permission, the app will explain and ask again when that feature is used. Note that once a permission is denied, iOS (and Android 11 and later after a second denial) will not show the system prompt again, so a legitimate app has to direct the user to Settings rather than nag or silently fail.

Enterprises can address all of these areas with a good mobile security solution. An enterprise without mobile threat protection has little visibility into its mobile risks or the data losses that accompany them. It is therefore imperative that your enterprise include mobile threat protection as part of its overall security strategy. With the right mobile security platform, you take a large step toward protecting both employee privacy and company data from the ever-growing threat of mobile surveillance and data gathering.